From: Greg Kroah-Hartman Date: Sat, 27 Jan 2024 22:23:54 +0000 (-0800) Subject: 5.10-stable patches X-Git-Tag: v6.1.76~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14ef31b608d302261171711ec79684cd2280bc4c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: btrfs-defrag-reject-unknown-flags-of-btrfs_ioctl_defrag_range_args.patch btrfs-don-t-abort-filesystem-when-attempting-to-snapshot-deleted-subvolume.patch btrfs-don-t-warn-if-discard-range-is-not-aligned-to-sector.patch btrfs-ref-verify-free-ref-cache-before-clearing-mount-opt.patch btrfs-tree-checker-fix-inline-ref-size-in-error-messages.patch exec-fix-error-handling-in-begin_new_exec.patch gpiolib-acpi-ignore-touchpad-wakeup-on-gpd-g1619-04.patch netfilter-nf_tables-reject-queue-drop-verdict-parameters.patch netfilter-nft_chain_filter-handle-netdev_unregister-for-inet-ingress-basechain.patch rbd-don-t-move-requests-to-the-running-list-on-errors.patch wifi-iwlwifi-fix-a-memory-corruption.patch --- diff --git a/queue-5.10/btrfs-defrag-reject-unknown-flags-of-btrfs_ioctl_defrag_range_args.patch b/queue-5.10/btrfs-defrag-reject-unknown-flags-of-btrfs_ioctl_defrag_range_args.patch new file mode 100644 index 00000000000..3792e9d92e4 --- /dev/null +++ b/queue-5.10/btrfs-defrag-reject-unknown-flags-of-btrfs_ioctl_defrag_range_args.patch @@ -0,0 +1,54 @@ +From 173431b274a9a54fc10b273b46e67f46bcf62d2e Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 10 Jan 2024 08:58:26 +1030 +Subject: btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args + +From: Qu Wenruo + +commit 173431b274a9a54fc10b273b46e67f46bcf62d2e upstream. + +Add extra sanity check for btrfs_ioctl_defrag_range_args::flags. + +This is not really to enhance fuzzing tests, but as a preparation for +future expansion on btrfs_ioctl_defrag_range_args. + +In the future we're going to add new members, allowing more fine tuning +for btrfs defrag. Without the -ENONOTSUPP error, there would be no way +to detect if the kernel supports those new defrag features. + +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 4 ++++ + include/uapi/linux/btrfs.h | 3 +++ + 2 files changed, 7 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3190,6 +3190,10 @@ static int btrfs_ioctl_defrag(struct fil + kfree(range); + goto out; + } ++ if (range.flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) { ++ ret = -EOPNOTSUPP; ++ goto out; ++ } + /* compression requires us to start the IO */ + if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) { + range->flags |= BTRFS_DEFRAG_RANGE_START_IO; +--- a/include/uapi/linux/btrfs.h ++++ b/include/uapi/linux/btrfs.h +@@ -576,6 +576,9 @@ struct btrfs_ioctl_clone_range_args { + */ + #define BTRFS_DEFRAG_RANGE_COMPRESS 1 + #define BTRFS_DEFRAG_RANGE_START_IO 2 ++#define BTRFS_DEFRAG_RANGE_FLAGS_SUPP (BTRFS_DEFRAG_RANGE_COMPRESS | \ ++ BTRFS_DEFRAG_RANGE_START_IO) ++ + struct btrfs_ioctl_defrag_range_args { + /* start of the defrag operation */ + __u64 start; diff --git a/queue-5.10/btrfs-don-t-abort-filesystem-when-attempting-to-snapshot-deleted-subvolume.patch b/queue-5.10/btrfs-don-t-abort-filesystem-when-attempting-to-snapshot-deleted-subvolume.patch new file mode 100644 index 00000000000..5e9b6f4d5bf --- /dev/null +++ b/queue-5.10/btrfs-don-t-abort-filesystem-when-attempting-to-snapshot-deleted-subvolume.patch @@ -0,0 +1,97 @@ +From 7081929ab2572920e94d70be3d332e5c9f97095a Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Thu, 4 Jan 2024 11:48:46 -0800 +Subject: btrfs: don't abort filesystem when attempting to snapshot deleted subvolume + +From: Omar Sandoval + +commit 7081929ab2572920e94d70be3d332e5c9f97095a upstream. + +If the source file descriptor to the snapshot ioctl refers to a deleted +subvolume, we get the following abort: + + BTRFS: Transaction aborted (error -2) + WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs] + Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c + CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 + RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs] + RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282 + RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027 + RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840 + RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998 + R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe + R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80 + FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0 + Call Trace: + + ? create_pending_snapshot+0x1040/0x1190 [btrfs] + ? __warn+0x81/0x130 + ? create_pending_snapshot+0x1040/0x1190 [btrfs] + ? report_bug+0x171/0x1a0 + ? handle_bug+0x3a/0x70 + ? exc_invalid_op+0x17/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? create_pending_snapshot+0x1040/0x1190 [btrfs] + ? create_pending_snapshot+0x1040/0x1190 [btrfs] + create_pending_snapshots+0x92/0xc0 [btrfs] + btrfs_commit_transaction+0x66b/0xf40 [btrfs] + btrfs_mksubvol+0x301/0x4d0 [btrfs] + btrfs_mksnapshot+0x80/0xb0 [btrfs] + __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs] + btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs] + btrfs_ioctl+0x8a6/0x2650 [btrfs] + ? kmem_cache_free+0x22/0x340 + ? do_sys_openat2+0x97/0xe0 + __x64_sys_ioctl+0x97/0xd0 + do_syscall_64+0x46/0xf0 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + RIP: 0033:0x7fe20abe83af + RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af + RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003 + RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58 + + ---[ end trace 0000000000000000 ]--- + BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry + BTRFS info (device vdc: state EA): forced readonly + BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction. + BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry + +This happens because create_pending_snapshot() initializes the new root +item as a copy of the source root item. This includes the refs field, +which is 0 for a deleted subvolume. The call to btrfs_insert_root() +therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then +finds the root and returns -ENOENT if refs == 0, which causes +create_pending_snapshot() to abort. + +Fix it by checking the source root's refs before attempting the +snapshot, but after locking subvol_sem to avoid racing with deletion. + +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Sweet Tea Dorminy +Reviewed-by: Anand Jain +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -798,6 +798,9 @@ static int create_snapshot(struct btrfs_ + struct btrfs_trans_handle *trans; + int ret; + ++ if (btrfs_root_refs(&root->root_item) == 0) ++ return -ENOENT; ++ + if (!test_bit(BTRFS_ROOT_SHAREABLE, &root->state)) + return -EINVAL; + diff --git a/queue-5.10/btrfs-don-t-warn-if-discard-range-is-not-aligned-to-sector.patch b/queue-5.10/btrfs-don-t-warn-if-discard-range-is-not-aligned-to-sector.patch new file mode 100644 index 00000000000..1a867aa00c4 --- /dev/null +++ b/queue-5.10/btrfs-don-t-warn-if-discard-range-is-not-aligned-to-sector.patch @@ -0,0 +1,37 @@ +From a208b3f132b48e1f94f620024e66fea635925877 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Mon, 15 Jan 2024 20:30:26 +0100 +Subject: btrfs: don't warn if discard range is not aligned to sector + +From: David Sterba + +commit a208b3f132b48e1f94f620024e66fea635925877 upstream. + +There's a warning in btrfs_issue_discard() when the range is not aligned +to 512 bytes, originally added in 4d89d377bbb0 ("btrfs: +btrfs_issue_discard ensure offset/length are aligned to sector +boundaries"). We can't do sub-sector writes anyway so the adjustment is +the only thing that we can do and the warning is unnecessary. + +CC: stable@vger.kernel.org # 4.19+ +Reported-by: syzbot+4a4f1eba14eb5c3417d1@syzkaller.appspotmail.com +Reviewed-by: Johannes Thumshirn +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -1202,7 +1202,8 @@ static int btrfs_issue_discard(struct bl + u64 bytes_left, end; + u64 aligned_start = ALIGN(start, 1 << 9); + +- if (WARN_ON(start != aligned_start)) { ++ /* Adjust the range to be aligned to 512B sectors if necessary. */ ++ if (start != aligned_start) { + len -= aligned_start - start; + len = round_down(len, 1 << 9); + start = aligned_start; diff --git a/queue-5.10/btrfs-ref-verify-free-ref-cache-before-clearing-mount-opt.patch b/queue-5.10/btrfs-ref-verify-free-ref-cache-before-clearing-mount-opt.patch new file mode 100644 index 00000000000..82c1ed88ebc --- /dev/null +++ b/queue-5.10/btrfs-ref-verify-free-ref-cache-before-clearing-mount-opt.patch @@ -0,0 +1,57 @@ +From f03e274a8b29d1d1c1bbd7f764766cb5ca537ab7 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 3 Jan 2024 13:31:27 +0300 +Subject: btrfs: ref-verify: free ref cache before clearing mount opt + +From: Fedor Pchelkin + +commit f03e274a8b29d1d1c1bbd7f764766cb5ca537ab7 upstream. + +As clearing REF_VERIFY mount option indicates there were some errors in a +ref-verify process, a ref cache is not relevant anymore and should be +freed. + +btrfs_free_ref_cache() requires REF_VERIFY option being set so call +it just before clearing the mount option. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Reported-by: syzbot+be14ed7728594dc8bd42@syzkaller.appspotmail.com +Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool") +CC: stable@vger.kernel.org # 5.4+ +Closes: https://lore.kernel.org/lkml/000000000000e5a65c05ee832054@google.com/ +Reported-by: syzbot+c563a3c79927971f950f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/lkml/0000000000007fe09705fdc6086c@google.com/ +Reviewed-by: Anand Jain +Signed-off-by: Fedor Pchelkin +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ref-verify.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ref-verify.c ++++ b/fs/btrfs/ref-verify.c +@@ -899,8 +899,10 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i + out_unlock: + spin_unlock(&fs_info->ref_verify_lock); + out: +- if (ret) ++ if (ret) { ++ btrfs_free_ref_cache(fs_info); + btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); ++ } + return ret; + } + +@@ -1029,8 +1031,8 @@ int btrfs_build_ref_tree(struct btrfs_fs + } + } + if (ret) { +- btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); + btrfs_free_ref_cache(fs_info); ++ btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); + } + btrfs_free_path(path); + return ret; diff --git a/queue-5.10/btrfs-tree-checker-fix-inline-ref-size-in-error-messages.patch b/queue-5.10/btrfs-tree-checker-fix-inline-ref-size-in-error-messages.patch new file mode 100644 index 00000000000..37cac1a695a --- /dev/null +++ b/queue-5.10/btrfs-tree-checker-fix-inline-ref-size-in-error-messages.patch @@ -0,0 +1,35 @@ +From f398e70dd69e6ceea71463a5380e6118f219197e Mon Sep 17 00:00:00 2001 +From: Chung-Chiang Cheng +Date: Fri, 12 Jan 2024 15:41:05 +0800 +Subject: btrfs: tree-checker: fix inline ref size in error messages + +From: Chung-Chiang Cheng + +commit f398e70dd69e6ceea71463a5380e6118f219197e upstream. + +The error message should accurately reflect the size rather than the +type. + +Fixes: f82d1c7ca8ae ("btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check") +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Filipe Manana +Reviewed-by: Qu Wenruo +Signed-off-by: Chung-Chiang Cheng +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1334,7 +1334,7 @@ static int check_extent_item(struct exte + if (ptr + btrfs_extent_inline_ref_size(inline_type) > end) { + extent_err(leaf, slot, + "inline ref item overflows extent item, ptr %lu iref size %u end %lu", +- ptr, inline_type, end); ++ ptr, btrfs_extent_inline_ref_size(inline_type), end); + return -EUCLEAN; + } + diff --git a/queue-5.10/exec-fix-error-handling-in-begin_new_exec.patch b/queue-5.10/exec-fix-error-handling-in-begin_new_exec.patch new file mode 100644 index 00000000000..7b61e64f1aa --- /dev/null +++ b/queue-5.10/exec-fix-error-handling-in-begin_new_exec.patch @@ -0,0 +1,37 @@ +From 84c39ec57d409e803a9bb6e4e85daf1243e0e80b Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 22 Jan 2024 19:34:21 +0100 +Subject: exec: Fix error handling in begin_new_exec() + +From: Bernd Edlinger + +commit 84c39ec57d409e803a9bb6e4e85daf1243e0e80b upstream. + +If get_unused_fd_flags() fails, the error handling is incomplete because +bprm->cred is already set to NULL, and therefore free_bprm will not +unlock the cred_guard_mutex. Note there are two error conditions which +end up here, one before and one after bprm->cred is cleared. + +Fixes: b8a61c9e7b4a ("exec: Generic execfd support") +Signed-off-by: Bernd Edlinger +Acked-by: Eric W. Biederman +Link: https://lore.kernel.org/r/AS8P193MB128517ADB5EFF29E04389EDAE4752@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1392,6 +1392,9 @@ int begin_new_exec(struct linux_binprm * + + out_unlock: + up_write(&me->signal->exec_update_lock); ++ if (!bprm->cred) ++ mutex_unlock(&me->signal->cred_guard_mutex); ++ + out: + return retval; + } diff --git a/queue-5.10/gpiolib-acpi-ignore-touchpad-wakeup-on-gpd-g1619-04.patch b/queue-5.10/gpiolib-acpi-ignore-touchpad-wakeup-on-gpd-g1619-04.patch new file mode 100644 index 00000000000..7779911b8b5 --- /dev/null +++ b/queue-5.10/gpiolib-acpi-ignore-touchpad-wakeup-on-gpd-g1619-04.patch @@ -0,0 +1,46 @@ +From 805c74eac8cb306dc69b87b6b066ab4da77ceaf1 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 17 Jan 2024 08:29:42 -0600 +Subject: gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 + +From: Mario Limonciello + +commit 805c74eac8cb306dc69b87b6b066ab4da77ceaf1 upstream. + +Spurious wakeups are reported on the GPD G1619-04 which +can be absolved by programming the GPIO to ignore wakeups. + +Cc: stable@vger.kernel.org +Reported-and-tested-by: George Melikov +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3073 +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1479,6 +1479,20 @@ static const struct dmi_system_id gpioli + .ignore_wake = "INT33FF:01@0", + }, + }, ++ { ++ /* ++ * Spurious wakeups from TP_ATTN# pin ++ * Found in BIOS 0.35 ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3073 ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "GPD"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "G1619-04"), ++ }, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .ignore_wake = "PNP0C50:00@8", ++ }, ++ }, + {} /* Terminating entry */ + }; + diff --git a/queue-5.10/netfilter-nf_tables-reject-queue-drop-verdict-parameters.patch b/queue-5.10/netfilter-nf_tables-reject-queue-drop-verdict-parameters.patch new file mode 100644 index 00000000000..c78bd7e9586 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-reject-queue-drop-verdict-parameters.patch @@ -0,0 +1,69 @@ +From f342de4e2f33e0e39165d8639387aa6c19dff660 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sat, 20 Jan 2024 22:50:04 +0100 +Subject: netfilter: nf_tables: reject QUEUE/DROP verdict parameters + +From: Florian Westphal + +commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream. + +This reverts commit e0abdadcc6e1. + +core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP +verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar, +or 0. + +Due to the reverted commit, its possible to provide a positive +value, e.g. NF_ACCEPT (1), which results in use-after-free. + +Its not clear to me why this commit was made. + +NF_QUEUE is not used by nftables; "queue" rules in nftables +will result in use of "nft_queue" expression. + +If we later need to allow specifiying errno values from userspace +(do not know why), this has to call NF_DROP_GETERR and check that +"err <= 0" holds true. + +Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters") +Cc: stable@vger.kernel.org +Reported-by: Notselwyn +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9340,16 +9340,10 @@ static int nft_verdict_init(const struct + data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); + + switch (data->verdict.code) { +- default: +- switch (data->verdict.code & NF_VERDICT_MASK) { +- case NF_ACCEPT: +- case NF_DROP: +- case NF_QUEUE: +- break; +- default: +- return -EINVAL; +- } +- fallthrough; ++ case NF_ACCEPT: ++ case NF_DROP: ++ case NF_QUEUE: ++ break; + case NFT_CONTINUE: + case NFT_BREAK: + case NFT_RETURN: +@@ -9384,6 +9378,8 @@ static int nft_verdict_init(const struct + + data->verdict.chain = chain; + break; ++ default: ++ return -EINVAL; + } + + desc->len = sizeof(data->verdict); diff --git a/queue-5.10/netfilter-nft_chain_filter-handle-netdev_unregister-for-inet-ingress-basechain.patch b/queue-5.10/netfilter-nft_chain_filter-handle-netdev_unregister-for-inet-ingress-basechain.patch new file mode 100644 index 00000000000..3f8dc99c279 --- /dev/null +++ b/queue-5.10/netfilter-nft_chain_filter-handle-netdev_unregister-for-inet-ingress-basechain.patch @@ -0,0 +1,57 @@ +From 01acb2e8666a6529697141a6017edbf206921913 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 18 Jan 2024 10:56:26 +0100 +Subject: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain + +From: Pablo Neira Ayuso + +commit 01acb2e8666a6529697141a6017edbf206921913 upstream. + +Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER +event is reported, otherwise a stale reference to netdevice remains in +the hook list. + +Fixes: 60a3815da702 ("netfilter: add inet ingress support") +Cc: stable@vger.kernel.org +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_chain_filter.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nft_chain_filter.c ++++ b/net/netfilter/nft_chain_filter.c +@@ -358,9 +358,10 @@ static int nf_tables_netdev_event(struct + unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct nft_base_chain *basechain; + struct nftables_pernet *nft_net; +- struct nft_table *table; + struct nft_chain *chain, *nr; ++ struct nft_table *table; + struct nft_ctx ctx = { + .net = dev_net(dev), + }; +@@ -372,7 +373,8 @@ static int nf_tables_netdev_event(struct + nft_net = net_generic(ctx.net, nf_tables_net_id); + mutex_lock(&nft_net->commit_mutex); + list_for_each_entry(table, &nft_net->tables, list) { +- if (table->family != NFPROTO_NETDEV) ++ if (table->family != NFPROTO_NETDEV && ++ table->family != NFPROTO_INET) + continue; + + ctx.family = table->family; +@@ -381,6 +383,11 @@ static int nf_tables_netdev_event(struct + if (!nft_is_base_chain(chain)) + continue; + ++ basechain = nft_base_chain(chain); ++ if (table->family == NFPROTO_INET && ++ basechain->ops.hooknum != NF_INET_INGRESS) ++ continue; ++ + ctx.chain = chain; + nft_netdev_event(event, dev, &ctx); + } diff --git a/queue-5.10/rbd-don-t-move-requests-to-the-running-list-on-errors.patch b/queue-5.10/rbd-don-t-move-requests-to-the-running-list-on-errors.patch new file mode 100644 index 00000000000..e7f5d44e7ff --- /dev/null +++ b/queue-5.10/rbd-don-t-move-requests-to-the-running-list-on-errors.patch @@ -0,0 +1,77 @@ +From ded080c86b3f99683774af0441a58fc2e3d60cae Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 17 Jan 2024 18:59:44 +0100 +Subject: rbd: don't move requests to the running list on errors + +From: Ilya Dryomov + +commit ded080c86b3f99683774af0441a58fc2e3d60cae upstream. + +The running list is supposed to contain requests that are pinning the +exclusive lock, i.e. those that must be flushed before exclusive lock +is released. When wake_lock_waiters() is called to handle an error, +requests on the acquiring list are failed with that error and no +flushing takes place. Briefly moving them to the running list is not +only pointless but also harmful: if exclusive lock gets acquired +before all of their state machines are scheduled and go through +rbd_lock_del_request(), we trigger + + rbd_assert(list_empty(&rbd_dev->running_list)); + +in rbd_try_acquire_lock(). + +Cc: stable@vger.kernel.org +Fixes: 637cd060537d ("rbd: new exclusive lock wait/wake code") +Signed-off-by: Ilya Dryomov +Reviewed-by: Dongsheng Yang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/rbd.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3517,14 +3517,15 @@ static bool rbd_lock_add_request(struct + static void rbd_lock_del_request(struct rbd_img_request *img_req) + { + struct rbd_device *rbd_dev = img_req->rbd_dev; +- bool need_wakeup; ++ bool need_wakeup = false; + + lockdep_assert_held(&rbd_dev->lock_rwsem); + spin_lock(&rbd_dev->lock_lists_lock); +- rbd_assert(!list_empty(&img_req->lock_item)); +- list_del_init(&img_req->lock_item); +- need_wakeup = (rbd_dev->lock_state == RBD_LOCK_STATE_RELEASING && +- list_empty(&rbd_dev->running_list)); ++ if (!list_empty(&img_req->lock_item)) { ++ list_del_init(&img_req->lock_item); ++ need_wakeup = (rbd_dev->lock_state == RBD_LOCK_STATE_RELEASING && ++ list_empty(&rbd_dev->running_list)); ++ } + spin_unlock(&rbd_dev->lock_lists_lock); + if (need_wakeup) + complete(&rbd_dev->releasing_wait); +@@ -3907,14 +3908,19 @@ static void wake_lock_waiters(struct rbd + return; + } + +- list_for_each_entry(img_req, &rbd_dev->acquiring_list, lock_item) { ++ while (!list_empty(&rbd_dev->acquiring_list)) { ++ img_req = list_first_entry(&rbd_dev->acquiring_list, ++ struct rbd_img_request, lock_item); + mutex_lock(&img_req->state_mutex); + rbd_assert(img_req->state == RBD_IMG_EXCLUSIVE_LOCK); ++ if (!result) ++ list_move_tail(&img_req->lock_item, ++ &rbd_dev->running_list); ++ else ++ list_del_init(&img_req->lock_item); + rbd_img_schedule(img_req, result); + mutex_unlock(&img_req->state_mutex); + } +- +- list_splice_tail_init(&rbd_dev->acquiring_list, &rbd_dev->running_list); + } + + static bool locker_equal(const struct ceph_locker *lhs, diff --git a/queue-5.10/series b/queue-5.10/series index 4de0c7822f3..0bdf8a96509 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -60,3 +60,14 @@ net-mvpp2-clear-bm-pool-before-initialization.patch selftests-netdevsim-fix-the-udp_tunnel_nic-test.patch fjes-fix-memleaks-in-fjes_hw_setup.patch net-fec-fix-the-unhandled-context-fault-from-smmu.patch +btrfs-ref-verify-free-ref-cache-before-clearing-mount-opt.patch +btrfs-tree-checker-fix-inline-ref-size-in-error-messages.patch +btrfs-don-t-warn-if-discard-range-is-not-aligned-to-sector.patch +btrfs-defrag-reject-unknown-flags-of-btrfs_ioctl_defrag_range_args.patch +btrfs-don-t-abort-filesystem-when-attempting-to-snapshot-deleted-subvolume.patch +rbd-don-t-move-requests-to-the-running-list-on-errors.patch +exec-fix-error-handling-in-begin_new_exec.patch +wifi-iwlwifi-fix-a-memory-corruption.patch +netfilter-nft_chain_filter-handle-netdev_unregister-for-inet-ingress-basechain.patch +netfilter-nf_tables-reject-queue-drop-verdict-parameters.patch +gpiolib-acpi-ignore-touchpad-wakeup-on-gpd-g1619-04.patch diff --git a/queue-5.10/wifi-iwlwifi-fix-a-memory-corruption.patch b/queue-5.10/wifi-iwlwifi-fix-a-memory-corruption.patch new file mode 100644 index 00000000000..fae8f1bb4e0 --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-fix-a-memory-corruption.patch @@ -0,0 +1,36 @@ +From cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Thu, 11 Jan 2024 15:07:25 +0200 +Subject: wifi: iwlwifi: fix a memory corruption + +From: Emmanuel Grumbach + +commit cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d upstream. + +iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that +if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in +bytes, we'll write past the buffer. + +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218233 +Fixes: cf29c5b66b9f ("iwlwifi: dbg_ini: implement time point handling") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240111150610.2d2b8b870194.I14ed76505a5cf87304e0c9cc05cc0ae85ed3bf91@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +@@ -876,7 +876,7 @@ static int iwl_dbg_tlv_override_trig_nod + node_trig = (void *)node_tlv->data; + } + +- memcpy(node_trig->data + offset, trig->data, trig_data_len); ++ memcpy((u8 *)node_trig->data + offset, trig->data, trig_data_len); + node_tlv->length = cpu_to_le32(size); + + if (policy & IWL_FW_INI_APPLY_POLICY_OVERRIDE_CFG) {